Find the Source of Account Lockouts in Active Directory

18/06/2018

Make sure you have the Active Directory PowerShell module loaded on the machine you run the script from:

###################

Import-Module ActiveDirectory

$ErrorActionPreference = "SilentlyContinue"

Clear-Host

$User = Read-Host -Prompt "Please enter user name"

# Every lockout (4740) is also recorded on the PDC emulator, but the 4625/4771 events
# that show the failing workstation or client address live on whichever DC processed
# the logon, so all DCs are queried.
$PDC = (Get-ADDomainController -Discover -Service PrimaryDC).Name

$DCs = (Get-ADDomainController -Filter *).Name

# Parentheses matter: XPath 'and' binds tighter than 'or', so without them the
# one-hour window (3600000 ms) would apply only to EventID 4771.
$XPath = "*[System[(EventID=4740 or EventID=4625 or EventID=4770 or EventID=4771) and TimeCreated[timediff(@SystemTime) <= 3600000]] and EventData[Data[@Name='TargetUserName']='$User']]"

foreach ($DC in $DCs) {

    Write-Host -ForegroundColor Green "Checking events on $DC for User: $User"

    if ($DC -eq $PDC) {
        Write-Host -ForegroundColor Green "$DC is the PDC"
    }

    Get-WinEvent -ComputerName $DC -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{Name='User Name'; Expression={
                (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
            }},
            @{Name='Source Host'; Expression={
                # The caller sits in a different field for each event ID, so read the
                # EventData by name instead of by position: 4740 -> TargetDomainName
                # (Caller Computer Name), 4625 -> WorkstationName (IpAddress as fallback),
                # 4770/4771 -> IpAddress.
                $Event = $_
                $Data  = @{}
                ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }
                switch ($Event.Id) {
                    4740    { $Data['TargetDomainName'] }
                    4625    { if ($Data['WorkstationName'] -and $Data['WorkstationName'] -ne '-') { $Data['WorkstationName'] } else { $Data['IpAddress'] } }
                    default { $Data['IpAddress'] }
                }
            }}

}

###################

This script scans all domain controllers, not just the PDC emulator: every lockout is replicated to the PDC, but the 4625 and 4771 events that reveal the failing workstation or client address are logged on whichever DC handled the failed logon.

After you have found the source of the lockout, go to each PC involved and disconnect the session, or look for scheduled tasks or scripts running under this user context. Rebooting the locking PC, if possible, is also good practice.
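The follow-up on the locking PC can also be scripted. The function below is an added example and is not part of the original post; it takes the host reported in the "Source Host" column and inventories everything on that machine that still runs or is logged on as the locked-out account: interactive sessions, scheduled tasks, services and processes. It assumes PowerShell remoting (WinRM) is enabled on the target, that you have local administrator rights there, and that the target runs Windows 8 / Server 2012 or later (for the ScheduledTasks module). The function and parameter names are my own.

```powershell
function Get-LockoutSourceActivity {
    <#
    .SYNOPSIS
        Lists sessions, scheduled tasks, services and processes on a host that run
        as the given account. Run it against the 'Source Host' of a 4740 event.
        Added example; assumes WinRM and admin rights on the target.
    #>
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # host reported as the lockout caller
        [Parameter(Mandatory)][string]$UserName        # sAMAccountName, without domain prefix
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $UserName -ScriptBlock {
        param($User)
        $Escaped = [regex]::Escape($User)

        # 1. Interactive / RDP sessions still holding the old credentials.
        #    'quser' prints one line per session; the user name is the first column
        #    (prefixed with '>' for the current session). Raw lines are kept because
        #    the column layout shifts when SESSIONNAME is empty.
        $Sessions = @(quser 2>$null | Where-Object { $_ -match "^\s*>?\s*$Escaped\s" })

        # 2. Scheduled tasks whose principal is the account. Principal.UserId may be
        #    'DOMAIN\user' or just 'user', so compare the last path component.
        $Tasks = @(Get-ScheduledTask | Where-Object {
            $_.Principal.UserId -and (($_.Principal.UserId -split '\\')[-1] -ieq $User)
        } | Select-Object TaskName, TaskPath, State)

        # 3. Services configured to log on as the account. StartName can be
        #    'DOMAIN\user', '.\user' or 'user@domain'; splitting on both
        #    separators covers all three forms (-contains is case-insensitive).
        $Services = @(Get-CimInstance Win32_Service | Where-Object {
            $_.StartName -and (($_.StartName -split '[\\@]') -contains $User)
        } | Select-Object Name, State, StartName)

        # 4. Processes owned by the account, e.g. a 'runas' shell left open after
        #    a password change, which keeps retrying with the stale password.
        $Processes = @(Get-CimInstance Win32_Process | ForEach-Object {
            $Owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            if ($Owner.User -ieq $User) {
                [pscustomobject]@{ Name = $_.Name; ProcessId = $_.ProcessId; Started = $_.CreationDate }
            }
        })

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            User      = $User
            Sessions  = $Sessions
            Tasks     = $Tasks
            Services  = $Services
            Processes = $Processes
        }
    }
}

# Usage (values are placeholders for the host and account from the lockout report):
# Get-LockoutSourceActivity -ComputerName 'WORKSTATION01' -UserName 'jdoe' | Format-List
```

Anything the function lists is a candidate for the stale credential: log the session off, correct the task or service logon, or end the process, then clear the lockout. Credentials saved in Credential Manager (`cmdkey /list`) or in mapped drives are stored per user profile and are not visible from a remote administrative session, so if the inventory comes back empty, check those while logged on interactively as the affected user.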
